2016-S2-SEC601-Lab 5 / Steganography

Exercise 1: Hiding Information within a File

Installed SilentEye, using the defaults.

Inspected the properties of the image file ‘gtslearning.jpg’ and noted both the file size and the ‘created’, ‘modified’ and ‘accessed’ dates and times.

Opened WinMD5, dragged ‘gtslearning.jpg’ into the ‘select a file’ box and so created a checksum for the file. Also copied this ‘current’ checksum into the ‘original’ checksum box.

Selected the ‘gtslearning.jpg’ file in the ‘SilentEye’ window and clicked ‘Encode’. Typed ‘SilentEye’ in the message box, set the ‘JPEG quality’ box to 100% and clicked ‘Encode’, then closed the ‘SilentEye’ window.

Typed ‘%homepath%’ in the File Explorer address bar to navigate to the folder where the ‘SilentEye’ output had been saved. Inspected the new file’s properties to find that the file that had just been created was significantly smaller (43.4 KB vs 683 KB).

As expected, the new file generated a completely different checksum, as seen below.

Exercise 2: Detecting Steganography

Opening previews of both files shows that the ‘new’ gtslearning.jpg has grey dots all over the black part of the picture.

When running the ‘xsteg’ application and selecting the ‘new’ image file, ‘xsteg’ detects a hidden message.
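The two symptoms seen in Exercises 1 and 2 (a changed checksum, and grey dots in the flat black area) can be reproduced with a toy model. The following Python example is added here and is not part of the lab or of SilentEye: it builds a constructed 8-bit greyscale "image" (a list of pixel values, not a real JPEG), embeds a message by overwriting pixel LSBs, and then runs two defender-side checks: an MD5 comparison against the original, and a simple detector that flags flat tiles whose pixel values have been toggled within one LSB pair. The embedding scheme and the detector are simplifications assumed for illustration; SilentEye's actual JPEG encoding and the statistics used by xsteg are not reproduced.

```python
import hashlib

WIDTH, HEIGHT = 64, 64


def make_cover():
    """Constructed 8-bit greyscale cover: top half pure black (0), bottom half
    a smooth gradient. Real photos contain flat dark areas like the top half."""
    pixels = []
    for y in range(HEIGHT):
        for x in range(WIDTH):
            pixels.append(0 if y < HEIGHT // 2 else (3 * x + 2 * y) % 256)
    return pixels


def md5_hex(pixels):
    """Checksum of the raw pixel bytes (stands in for WinMD5 over the file)."""
    return hashlib.md5(bytes(pixels)).hexdigest()


def embed(pixels, message):
    """Naive LSB embedding (toy model): a 16-bit length header followed by the
    ASCII message, one bit per pixel, starting at pixel 0."""
    payload = len(message).to_bytes(2, "big") + message.encode("ascii")
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("message does not fit in the cover")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract(pixels):
    """Reverse of embed(): read the header, then that many bytes."""
    def read_bits(start, count):
        value = 0
        for p in pixels[start:start + count]:
            value = (value << 1) | (p & 1)
        return value
    length = read_bits(0, 16)
    return bytes(read_bits(16 + 8 * i, 8) for i in range(length)).decode("ascii")


def flat_blocks_with_lsb_noise(pixels, block=8):
    """Detector: count block x block tiles whose values all sit in one LSB pair
    (2k, 2k+1) yet use both values. A genuinely flat tile has a single value;
    LSB embedding toggles some of them, which is the 'grey dots on black'."""
    flagged = 0
    for by in range(0, HEIGHT, block):
        for bx in range(0, WIDTH, block):
            vals = {pixels[(by + dy) * WIDTH + bx + dx]
                    for dy in range(block) for dx in range(block)}
            if len(vals) == 2 and (min(vals) >> 1) == (max(vals) >> 1):
                flagged += 1
    return flagged


def compare(cover, stego):
    """Summarise what a checksum and a statistical check each reveal."""
    return {
        "same_size": len(cover) == len(stego),
        "md5_changed": md5_hex(cover) != md5_hex(stego),
        "pixels_changed": sum(a != b for a, b in zip(cover, stego)),
        "flagged_tiles": flat_blocks_with_lsb_noise(stego),
    }


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, "SilentEye")
    print(compare(cover, stego))
    print("recovered:", extract(stego))
```

Note that the checksum proves only that the file changed, not why; a known-good hash is needed to use it at all. The tile check works the other way round: it needs no original, but it only fires where the cover had flat areas, which is exactly where the lab's grey dots appeared.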


Exercise 3: Alternate Data Streams

Created a new Rich Text Document, according to instructions, calling it ‘MEMO’ and adding ‘Alternate Data Streams’ as text.

In properties noted the file size (190 bytes) and date properties (2 min prior).

Dragged the ‘MEMO.rtf’ file into WinMD5 to create a checksum, and copied the ‘current’ checksum into the ‘original’ checksum box.

Opened a command prompt and executed the commands given in the lab instructions, as seen below.

Inspecting the properties of the ‘MEMO’ file after executing the commands shows that the file has been modified: the file size remained the same, but the ‘size on disk’ rocketed from 0 bytes to 380 KB.

However, the checksum hasn’t changed, since the file size itself hasn’t changed.

Moved the file to the Documents folder and double-clicked to open the file, but ‘Odysseus.exe’ doesn’t run.

If, however, the command prompt command shown below is run in the ‘Documents’ library, the ‘Odysseus’ setup wizard pops up and wants to run the program.

Cancelled the wizard and opened ‘ADS Spy’ instead to scan the system for ‘Alternate Data Streams’.

The scan found 3 executable ‘Odysseus’ files in the memo.rtf and memo.lnk files. Selected these files and had them removed.

After deleting these files, tried to run the memo.lnk shortcut again, but (as seen below) was told that the file couldn’t be found.
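The checksum stayed the same in this exercise because WinMD5, like Explorer's "size" field, reads only the file's unnamed data stream; the executable lives in a named stream (`MEMO.rtf:Odysseus.exe`) that neither of them looks at, which is why only "size on disk" moved. A built-in way to see named streams without ADS Spy is `dir /R` in cmd.exe, which lists each stream as `<file>:<stream>:$DATA`. The Python example below is added here and is not part of the lab: it parses a constructed `dir /R` listing (the file names echo the lab, but the sizes, times and path are made up and the exact column layout is an approximation), lists the streams, flags the ones that are not a known benign Windows stream, and totals the hidden bytes per host file.

```python
import re
from collections import defaultdict

# Constructed sample of 'dir /R' output (not real lab output; layout approximated).
SAMPLE_DIR_R = """\
 Directory of C:\\Users\\student\\Documents

11/09/2016  10:42 AM               190 MEMO.rtf
                                389,120 MEMO.rtf:Odysseus.exe:$DATA
                                     26 MEMO.rtf:Zone.Identifier:$DATA
11/09/2016  10:45 AM             1,024 MEMO.lnk
                                389,120 MEMO.lnk:Odysseus.exe:$DATA
               2 File(s)          1,214 bytes
"""

# A stream line: optional indent, a size with thousands separators, then
# host:stream:$DATA. Ordinary file lines start with a date and never match.
STREAM_RE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")

# Zone.Identifier is written by Windows for downloaded files and is expected.
BENIGN_STREAMS = {"Zone.Identifier"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")


def parse_streams(listing):
    """Return [(host_file, stream_name, size_bytes)] for every ADS line."""
    found = []
    for line in listing.splitlines():
        m = STREAM_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            found.append((m.group(2), m.group(3), size))
    return found


def suspicious_streams(streams):
    """Flag every stream that is not on the benign list, and say why.
    Anything stored in an ADS is invisible to the file size, to WinMD5 and to
    Explorer, so an unexpected stream deserves a look regardless of its name."""
    flagged = []
    for host, name, size in streams:
        if name in BENIGN_STREAMS:
            continue
        reason = ("executable name" if name.lower().endswith(EXECUTABLE_SUFFIXES)
                  else "unexpected stream")
        flagged.append((host, name, size, reason))
    return flagged


def hidden_bytes_per_file(streams):
    """Total ADS bytes per host file: the gap between 'size' and
    'size on disk' that the lab observed (190 bytes vs. hundreds of KB)."""
    totals = defaultdict(int)
    for host, _name, size in streams:
        totals[host] += size
    return dict(totals)


if __name__ == "__main__":
    streams = parse_streams(SAMPLE_DIR_R)
    for host, name, size, reason in suspicious_streams(streams):
        print(f"{host}:{name}  {size} bytes  ({reason})")
    print(hidden_bytes_per_file(streams))
```

On the machine itself, PowerShell can do the same without parsing text: `Get-Item -Path .\MEMO.rtf -Stream *` lists the streams, `Get-FileHash` on the host file hashes only the unnamed stream (so it agrees with WinMD5), and `Remove-Item -Path .\MEMO.rtf -Stream Odysseus.exe` removes one named stream, which is what ADS Spy did in the lab.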

Exercise 4: Completing the Lab

The Client VM was reverted to the ‘pre-lab’ snapshot
